Posts by Bemi Faison

Circle jerk

None of this matters in the real world. Developers know not to rely on browser plug-ins - plain and simple. We will navigate the obstacles MS sets forth in IE 8, 9, and so on, because it's MS's browser.

About F@#king time

In the end, this won't amount to much and Comcast will likely lobby to do this legally in the future (under some pro-america pseudonym). Still, it's nice to see this get some official notice... Where the heck is our American government? Oh... in Iraq.

Not even a good magician

Serious about enterprise, eh? Wow, Apple's tongue is so deep in its cheek with this offer, I'm surprised the rep didn't choke over the PR script (before making a quick escape stage-left).

Sure the base price is in line, but - whoa!... Can anyone say, "bait n' switch"?

Anyone serious about Macs or computers (as I am) knows to avoid Apple's obscene premium for basic add-ons, like RAM and disk space. This sleight-of-hand sales tactic doesn't go over too well with professional and enterprise users.

Insane

Not so much barbaric - but how insane are we to continue with such heavy handed band-aids to societal ills?

The longer we ignore the root causes of rising violence (socio-economic, psychological, familial, etc.), we'll build more menacing weapons. Eventually, in order to protect the "innocent" (also known as the "haves"), we'll allow smiting another's life for their misunderstood (or at worst, inappropriate) action.

Excellent Article

A hearty "thank you" to Jeff Williams, for a clear and concise overview of XSS. I trust that clarity of this kind spurs ingenuity. In this case, it could well result in practical frameworks that reverse the predicated increase in XSS vulnerabilities.

Moreover, I hope the people at Mozilla are taking note. Like other open-source/widely-supported software projects, Mozilla needs to make sure their development roadmap addresses today's issues, not only the whim of corporate sponsors.

[ I am not implying anything untoward. Firefox is essentially a public tool. The weight of that relationship bears some obvious responsibilities toward users, above another company's product rollout. ]

Precursor to "802.11y"

For anyone who has seen TPB's (thepiratebay.org) movie "Steal This Film I/II", an attractive crippled internet - biased towards censorship - is exactly how Hollywood/Big-Media can delay their eventual demise.

In other words, regardless of WiHD's success in the marketplace, my money is on this technology snaking its way into our next (or next-next) wireless spec. Think "802.11y".

We all expect wireless performance improvements, and much is on the horizon (e.g., WiMax, ubiquitous WiFi, etc.). But for now, the killer app in broadband is video, and the public doesn't care who gives them their fix; just so long as it's faster than their last. The old copyright guard need only provide the faster fix, insert special-interest controls in the protocol and voila: the DRM'd internet.

At worst, we'll have to pay for these improvements via higher subscription costs, or a "content-tax". At worst, the global internet community will shatter because of incompatible protocols and the majority will never know what they're missing.

Am I too paranoid here? Not based on the history of corporate greed and the lengths it has taken in self-preservation.

There's no cheese down this tunnel

With the exception of a web browser, when users see a file on their computer they consider it their property... and the concept of "leased" property fails mightily amongst most computer users.

Those of the Mac culture see things this way, and will experience a great offense if this kind of offer is made - even when framed as a pilot program. Apple should be ashamed for introducing this type of transaction, primarily because it goes against a culture they themselves guided away from temporary media (be it "lease" or "subscription").

There may be an untapped market for renting digital movies (especially bad ones), but a rental is no different than a short-term subscription (albeit to a catalog of one movie). Really nice try Apple, but this one will fail (as it should)... The future should look nothing like the past, and "rentals" are an obvious attempt at burdening the user with strings tied to a purchase, even if we don't have to physically return the video at the store this time.

@James Butler - The bandwagon floweth over

Thank you, James, in part for describing a buffer overflow. As a Mac user, I was also concerned about what is possible when this happens on a *nix machine. (I have yet to come across an answer to that question.) However, that was my first comment and it spawned from the hubbub over which OS is best, secure, etc, etc...

All that has nothing to do with this abysmal article.

My second comment pointedly nailed Goodin's attempt to frame Apple as lax on security, due to infrequent vulnerability notifications and relatively shallow update information. You didn't confuse the two, but you too believe Apple (when applicable) "should STRESS that it [an update] is CRITICAL". Like Goodin, a difference in computing culture gives your opinion.

Apple has never alarmed its users about updating software - at least not in the ways you have come to expect and advocate. With Apple, an update is an update... Someone invented "critical" updates (probably along with "urgent" emails), but its ubiquity today is not evidence of a superior notification policy. Developers choose how and when to communicate what (regarding security), based on their understanding of and commitment to their users.

But I digress. Culture aside, both you and Goodin encourage a notification process which is part of a largely failed security policy amongst the Windows industry: tell, tell and tell all (with added meta-data, like "critical" and "optional"). In this age, the practice seems a veritable appendix yearning for removal.

I do understand the call for Apple to incorporate some guidance for users updating their products - in this case, when the fix arrives long after the vulnerability was discovered. Put straight: Apple earns poor marks for a slow response to a vulnerability, not because they neglected to label the fix "critical".

To directly counter your call for Apple to label/prioritize its updates, consider the impact of similar human-engineering tricks elsewhere (US examples follow): cigarette warnings, national terror alert levels/colors... Need I go on? People will do what they want, no matter the urging, fear-mongering or manipulation (which usually results in the opposite of the desired outcome). So, from this user's perspective, let an update be an update.

The hullabaloo is over Goodin's poor thesis on, what is - in the larger context of security - a non-issue: What and when to tell the customer. Notification is a part of the security ecosystem, but the larger context is: How to keep the technology secure. Unfortunately Goodin loses focus of his own complaint, recklessly confuses non-notification of security as non-security, and concludes with the tired charge that Apple is bad at it. Furthermore, Goodin maintains a bias that security is one known thing which should be done one known way.

Poor research and composition are one thing, but an incurious journalist (from El Reg, no less) is unforgivable.

Just what is the ruler by which Goodin measured Apple's wayward security? The renowned Windows industry, of course! Goodin practically describes the daily operation of Windows security purveyors (like Microsoft and Symantec): tell everyone about the problem. Though a useful and lucrative practice in its own right, to this date (susceptibility aside) that industry has a higher degree of known exploits. Therefore, the fact that Goodin elects this policy as best practice is ludicrous and wildly disingenuous.

Neither did Goodin contrast the security notification policies of Apple, Microsoft, and Linux communities, or how they have evolved as such. Not once was a user profile mentioned - the notification needs of enterprises against end-users, third-party vendors against small-businesses, etc. Apparently, it's all the same to Goodin...

Considering other articles by Goodin, I can't imagine how this sub-par subjective rant made it to El Reg. Notwithstanding his lengthy low-brow retort to earlier comments (see the "bootnote"), this journalistic fiasco resembles a Slashdot forum. The bickering over facts alone is evidence of unbalanced analysis and underwhelming research.

I do hope El Reg will review their editorial policies, to protect readers from future blog-entries-disguised-as-articles. [Anyone's welcome to rephrase that and invent a snappy acronym for said pandemic.]

Information Abyss

With the advent of OS X, Mac users were thrust into a brave new world. Most, including myself, were unfamiliar with the inner workings of UNIX. Although not out of treachery, I do suspect Apple ("Computer", then) did use its marketing muscle to wash over the arguably rare vulnerabilities of its OS underpinnings.

What I've learned and trust is that OS X is rock-solid against external exploits. What I don't know is what an exploit can achieve once breached. I think we could use some clarity on this.

Sure, "it'll just crash the app", at worst the system, and I'm actually none too concerned of that happening. But, no one (especially the Mac fanatics) ever talks about a payload: a script that gains admin or root access. I mean, it was done during that silly "break my Mac mini" challenge... And what about a payload which simply deletes the user's home folder?

Look, no Reg'r has their head in the sand about security. We all know "it's" possible, regarding OS X, but I think knowing the "what" that is possible would save a lot of debating. So, who understands the reach of an OS X exploit? I'd love for El Reg (readers or writers) to share their knowledge, instead of defending it.

Department of Moron Security

It's pretty obvious they were using Outlook or some IE-based email reader. It's mind-bogglingly ridiculous that the government hasn't installed a *nix OS... one that protects itself from moronic and malevolent users. I thought we'd learn after losing billions in data and productivity in corporate America.

Good grief, I can open any email message without worry, simply because I'm not using Windows. And, I don't care how much it's "patched" or what services are disabled. Continual patches mean someone is using/researching exploits before MS can respond.

Unless the government uses a transparent, explicitly customizable open operating system, or creates one themselves, a Windows node on a sensitive network is completely insane. I'm blown away when I see those duds at the government bureaus (e.g., US customs agency, dept. of motor vehicles, etc.).

It seems Bushie's own computer would need to be compromised before anyone gets how serious this has become. (I can imagine the hook that ultimately phishes him: "Osama's hideout seen on Google maps!")

More devices trying to leapfrog PC evolution

Just how the iPhone made it clear that a computer can serve as a phone, better than a phone trying to be a computer, the Kindle is simply what the next generation ultra-mobile PC will become.

The Kindle seems simply a proprietary internet protocol, delivering much of what we can get today via the web. In other words, it won't have major adoption and will be outdated once PC manufacturers catch up to the Kindle's form/ease (assuming either is worth replicating).

Put simply, the Kindle is an example for content distribution. I predict other innovators will "get it", perfect the group/wiki/subscription model, and somehow, then, the Kindle will quickly lose its value.

Why FF is pushing the release of their next-gen browser

Ok, to all those who don't understand why an open-source outfit like FF would need to meet their own deadlines. The gist: follow the money.

Firstly, open-source development does not exclude itself from the competitive commercial market. In fact, it needs to be ahead of it, given the general bias that "commercial" means "better".

Secondly, we need to understand who is backing FF and why, namely Google. Google has a large stake in FF (some Reg article talks about it), and I'm sure they want their searchers to use browsers that can handle all the goodies Google is cooking up - namely ajax/comet goodies. It's the same reason MS wants us to use IE: monopolize the platform. (Ever heard of Windows or iPod?)

I had a third reason, involving companies paying for FF software improvements, but that's less founded, and probably passé.

FF might develop out of truly principled open-source passions, but they are also delivering on a promise to someone paying their bills. The better their browsing platform, the higher the retention of said funders, and the more funding they receive. Imagine when government agencies make FF the standard browser, or Nokia funds FF to polish off their mobile browser.

Mozilla is a software company, like any other. Being open-source is like McDonald's using containers from recycled materials: a nice sentiment that is still about profits.

Strategy for prevention needed - Rackspace could up the game.

You've all mentioned how Rackspace needs to secure its backup electrical facilities, but this incident highlights their need to follow the less traveled path of investing in the improvement of their primary commodity.

In much the same way that Rackspace might build a bleeding-edge facility, the company (and its like) should blaze the path for alternative energy sources. I don't mean backup alone, but as a primary power source, using bleeding-edge power generation technology.

Find another company that is on this path, invest in them, and reap the rewards for using their breakthrough method. Renewable energy issues aside, the purpose is to further reduce dependencies.

Sure, they likely receive kickbacks from their home town headquarters for using the local power stations and contributing to town treasury. But not-spending is the best way to save money - not paying discounts - and that means higher revenues (further enhancements, etc).

The larger benefit (the one I'm most interested in) is that of the alternative energy industry. When big companies risk-and-research (invest in burgeoning industries) it can quickly trickle down to city governments and individual households.

If I wanted to reassure customers, I'd announce investments/partnerships with an alternative energy outfit, pointing to a goal to be umpteen percent less dependent on local power.

The best competitive advantage is when you're the only player. Rackspace should see this opportunity to do more than fix it, and prevent it.

Fool's Silver

@ryan - yes, it seems very much like SVG, from the excellent example in Rob's excellent article. I fear though that if the XAML used becomes more verbose (i.e., transparent), Silverlight would convince a lot of SVG fanbois (myself included) to switch over.

SVG is already media-crippled and (not without a lot of overhead) can only simulate 3D environments. Regrettably Mozilla and Safari have forked their implementations and the technology has idled for years. Successfully inserting video via XML?! Touché MS, touché...

My only hope is that developers will see how wack MS's CLR is, and how that's their lock-in to their larger development suite. Silverlight simply extends the MS CLR to the web (again, like .NET did to servers, and JScript tried on browsers), but this time via very attractive, open-sourcey XML and JavaScript syntax.

I'm not fooled. I'm not trading open standards for convenient proprietary frameworks. I'm not interested in any plug-in engine. Yes, Adobe Flash ain't free, but it's self-contained, its own beast, and doesn't have a long string tied to MS HQ. Besides, I'd rather do rich applications via one Flash file, instead of four extra/exposed files and syntaxes.

Big Oil & Coal

Hmmm... I recall California setting a goal to have a percentage of zero-emission cars by now. Guess who killed that initiative? With some 100-Trillion dollars worth of oil business left and enough coal to burn (and burn), I can't see how history won't repeat itself.

Who killed the electric car? Watch the movie and you'll find the same culprits that will make this another pipe-dream.

What's that called?

Microsoft isolated itself the day it decided to use JScript instead of JavaScript/ECMAScript. Regardless of their nefarious reasons and malevolent intent, the language and name demonstrate their commitment to undermine anything non-MS and open-source.

Same with bastardizing open-source languages via .NET, having them masquerade as the real thing - that being Java, C# and JavaScript. Why developers acknowledge MS as an authority on languages they've abused is beyond me.

Where's the beef?

The server wars between companies and other interests have never concerned me. I've made enough websites, the right and wrong way, to know that if it works - it works. Because most of these middle-layer protocols are just that, protocols, it doesn't much matter how a protocol is implemented - just that it's implemented.

I have no love for .NET simply because it's closed enough to bother my conscience and my workflow. During my ten years of web development experience, I've had to code in a multitude of languages, and prefer Open Source languages for their published benefits and my private concern to support languages which support standards; Microsoft doesn't, period.

But not liking .NET doesn't mean I am bothered by its existence. Frankly, I wish I knew .NET confidently, because it would mean turning down fewer jobs. And in the end, being able to do the work and serve the client is what matters to all, not how it gets done.

Writing on the wall

Over the past four years, my entire family has migrated to the Mac. The whole "fanboy" thing escapes me - perhaps because I'm pragmatic - so whatever works for you works for you... Which is why I can't explain their choices. "Halo effect" or osmosis, they're now Mac users.

Yes, I'm the family's Mac admin now, but I was before they used OS X. Problems do arise, but none like the hellfire exploits seen under Windows.

I don't care why OS X is safer, or whether my family enjoys it or loathes the experience. When their personal data is linked to the Wild Wide Web, I care that they are 99.9999% less likely to be abused by malcontents. I care that the people closest to me are happy and safe.

Computing without the mortal fear of exploits is akin to driving a car that's not addicted to oil (EV-1 anybody?): You know that what you're doing is different, ahead of the curve, good for you and good for others.

Some will recognize this woman's plight as the "writing on the wall" for their computing choices. Hopefully, they'll consider a non-Windows system.

A poorly understood medium

Should newspapers be sued because their content isn't printed in braille? Are the internet extensions of printed publications any different?

Should Target send their book catalogs with an audiobook version? I don't see how their website is any more "public" than a private shopping experience with their book catalog.

Kudos to Nick for describing some obvious best-practices for web development; and as he said, web developers from the new guard (aka, Web 2.0'ers) do most of them automatically. But looking at the ADA's argument - that Target's website is a place of "public accommodation" - my question is if and when a website is a place of public accommodation?

Moreover, how much can web developers do (or are to blame) if the devices which make the web accessible to disabled persons are not yet mature? The Closed Captioning system (according to Wikipedia) appeared in 1980 - 50 years after the advent of television! I think some valuable parallels can be drawn between television and the internet, and our understanding of the latter is required before we demand that it behave a certain way.

These efforts by the ADA will bring about similar solutions/mandates governing the entire www, for various disability groups. But their approach is not conducive towards that end, and instead seeks to demonize Target, bully them (setting a dangerous precedent for all site owners), or (at worst) sensationalizes their cause.

To not serve disabled customers is poor business practice. Period. Target, and any other company/website that does not engage reasonable accessibility requests, deserve public lambasting.

But not serving a customer is not a criminal act, nor so reprehensible as ADA claims, as to warrant government intervention - which (because we're so inventive) usually means some punitive law. ADA claims to know the reason why Target is not serving their constituents: they are discriminating against disabled persons. Really...

Target is not discriminating, merely coping - albeit poorly - with a nascent Internet that, even for veteran webmasters, does not have a polished turnkey solution for every form of communication.

Do Plan

So do nothing, until we panic? Why wait for a doomsday scenario when you can plan to avoid one?

I'm no scientist, but even a scientist will tell you that their tests only provide predictions. When it comes to the planet we live on, I'd prefer to be hyper-concerned, if not panicked. I'd rather act than react.